Just over four months ago, the Internet at large became significantly more acquainted with the National Security Agency (NSA).

It's all thanks to Edward Snowden, a former NSA contractor (and longtime Ars reader) with access to an unprecedented volume of documents. Snowden's leaks detailed for the first time the vast scale of American international telecommunications surveillance. While many people may have speculated or even "known" about such capabilities, Snowden’s disclosures provided internal proof previously unavailable to the general public.

Ars has done its best to cover the day-by-day updates that have unfolded as a result of Snowden’s actions, both in terms of what we’ve learned of the government’s capabilities and what has changed since then. With most of the Ars staff at our annual two-day conference this week, we’ve decided to take some time to breathe and recap what we’ve learned so far. We've narrowed the revelations down to five, so this list is hardly exhaustive—but feel free to tell us what we’ve missed.

What we’ve learned:

American telcos are compelled to routinely hand over metadata to the government

As a way to prevent future leaks, the NSA fired nearly all its sysadmins

Privacy-minded e-mail providers shut themselves down under pressure

The Foreign Intelligence Surveillance Court (FISC) opened up and published docket and opinions

Patriot Act author said that NSA’s interpretation is overbroad

Congressional reforms introduced, remain slow-moving

Ain’t no party like a third party

The entire saga kicked off on June 5, 2013 when The Guardian first published a secret order issued by the FISC that required Verizon to hand over vast metadata to the NSA. The order specified that Verizon was required to share the information on an “ongoing, daily basis” and encompassed the phone records pertaining to all of Verizon's American customers, whether the communications were between US-based callers or between a US caller and an international caller.

While the Verizon order was the only one officially published to date, it’s been a working assumption that other American telcos have been served with similar FISC orders. Roughly six weeks after this first disclosure, the FISC renewed that order.

The government relies on a well-established (but increasingly challenged) part of American case law known as the “third-party doctrine.” This notion says that when a person has voluntarily disclosed information to a third party—in this case, the telco—the customer no longer has a reasonable expectation of privacy over the numbers dialed or call duration. Therefore, this doctrine argues, such metadata can be accessed by law enforcement with essentially no problem.

The following day, Glenn Greenwald, The Guardian journalist who first broke the story, revealed another bombshell. On June 6, 2013, he introduced the world to PRISM, a massive NSA spying program that involved data sharing through various household-name tech giants, including Facebook, Google, Microsoft, and others.

In connection to the PRISM news, Facebook published a blog post soon after, writing that it has “been in discussions with US national security authorities urging them to allow more transparency and flexibility around national security-related orders we are required to comply with.”

Facebook continued: “We’re pleased that as a result of our discussions, we can now include in a transparency report all US national security-related requests (including Foreign Intelligence Surveillance Act [FISA] as well as National Security Letters)—which until now no company has been permitted to do.”

Despite the positive tone, Facebook (and other companies) cannot disclose how many of the requests for user data that it received were from federal, state, or local authorities. The companies can't detail whether any federal letters were from the NSA, a FISA court, the FBI, or some other entity. Facebook said that overall, it received between 9,000 and 10,000 requests from authorities in the second half of 2012, pertaining to between 18,000 and 19,000 individual Facebook accounts. (Other companies have subsequently also argued to the government that they should be allowed to break out how many aggregate requests they receive, but many have been rebuffed so far.)

A special relationship

Within two months of the PRISM revelations, Greenwald published another codenamed program: XKeyscore.

This NSA spy program captures vast swaths of unencrypted HTTP traffic at secret sites that span the entire world. However, due to storage limitations, it seems that it can only keep that data for relatively short periods of time. As Ars previously described, it would be nearly impossible for the NSA to store all that data for an extended time. One published slide says that for a single 30-day period in 2012, the data included “at least 41 billion total records.”

By the end of July 2013, we learned directly from a FISC judge that no corporation ever served with a “business record” court order under the Patriot Act has ever challenged one. This is despite the fact that the law provides them a means to do so. In other words, when the government asked Verizon to hand over call records and other metadata to the NSA, the company did so without so much as a peep.

As the summer went on, it appeared that at least some of the Snowden trove was being shared by additional media outlets, including The Washington Post and a few foreign outlets, particularly in Brazil and Germany. Some of those publications soon reported that there was also extensive spying by the NSA’s British sister spy agency, the Government Communications Headquarters (GCHQ).

"It's not just a US problem. The UK has a huge dog in this fight," Snowden told The Guardian. "They [GCHQ] are worse than the US."

The Guardian also reported that Snowden’s documents showed that the NSA paid around $152 million to the GCHQ since 2010. "GCHQ must pull its weight and be seen to pull its weight," a GCHQ strategy briefing reportedly said.

Later, Süddeutsche Zeitung and German public broadcaster NDR published not only the names of the companies but also their GCHQ nicknames: "Verizon ('Dacron'), BT ('Remedy'), Vodafone Cable ('Gerontic'), Global Crossing ('Pinnage'), Level 3 ('Little'), Viatel ('Vitreous'), and Interoute ('Streetcar')."

The German newspaper cited an internal GCHQ presentation slide as its source. It also slammed the GCHQ, saying that the organization had “lost all sense of proportion.”

Even with all those wrinkles, probably the most memorable (and darkly humorous) episode came from the disclosure of LOVEINT.

In August 2013, the Wall Street Journal introduced the world to an internal term that NSA analysts have come up with to describe the act of spying on one’s ex-partner: LOVEINT. The word is reminiscent of existing spycraft parlance, like HUMINT (human intelligence) or SIGINT (signals intelligence). (As you'd expect, LOVEINT spawned endless Twitter jokes.)

Needless to say, many Americans, including Sen. Chuck Grassley (R-IA) were not exactly thrilled with the idea that NSA employees could put America’s vast surveillance capability to use spying on ex-boyfriends and ex-girlfriends. He immediately fired off a letter to the NSA Office of the Inspector General (OIG).

By late September 2013, the OIG’s September 11, 2013 response to Sen. Grassley was published on the senator’s website. Inspector General Dr. George Ellard wrote that the NSA had “two open investigations into alleged misuse of SIGINT and is reviewing one allegation for possible investigation.”

In each of these cases, NSA employees were either docked in pay or punished administratively. Some even left the agency before any further action could be taken. Ultimately, no criminal charges were brought against any of these subjects. Worse still, most of these instances appeared to largely be the result of reactive reporting by the “subject” (the person who conducted the LOVEINT abuse), not the result of proactive internal measures at the NSA.

- NSA exploits the dysfunction in Washington as it allows NSA to do whatever they please.

- NSA works the way it does because Congress wants it to.

- 90% of our fury ought to be directed at Congress. The other 90% to NSA and the other 90% to AT&T, Verizon, ISPs, search engine providers etc.

- Neither Congress nor the White House have any intention of revoking the Patriot Act. There's no will to review the legislation which authorizes the NSA to conduct a frontal assault on people's privacy.

This is one of the worst parts for me. The defense that "just because we didn't do the dirty work, it's not illegal or unconstitutional" should be one that bothers everyone. It smacks of hiring a hit man so you don't get charged with murder.

This is one of the points that I think so very clearly illustrates why corporations should most definitely not be afforded the same sort of rights as a human being. Never mind their effectively limitless lifespan and their access to unfathomable wealth which can be used to manipulate politics to their advantage—they are soulless, remorseless, amoral entities which care for nothing but extending shareholder wealth.

Questioning the morality of complying with government orders that are clearly immoral (tho, technically, legal) doesn't even compute for corporations.

So I see no reason why they should be allowed to participate in activities that are clearly meant for moral (or even immoral) human beings.

This is one of the worst parts for me. The defense that "just because we didn't do the dirty work, it's not illegal or unconstitutional" should be one that bothers everyone. It smacks of hiring a hit man so you don't get charged with murder.

Consider the US has been happy to ship actual people overseas so other countries can do the dirty work (extraordinary rendition, although apparently greatly restricted under the Obama administration), what's a little data as well?

This is one of the worst parts for me. The defense that "just because we didn't do the dirty work, it's not illegal or unconstitutional" should be one that bothers everyone. It smacks of hiring a hit man so you don't get charged with murder.

Consider the US has been happy to ship actual people overseas so other countries can do the dirty work (extraordinary rendition, although apparently greatly restricted under the Obama administration), what's a little data as well?

Yeah, Obama decided it was okay to torture them ourselves instead of outsourcing it.

Basically, according to the NSA and their interpretation of the Patriot Act or any court concern, we are all guilty until proven innocent ... and they'll let us know when our innocence is actually proven.

You know, it's funny. I remember reading something somewhere along the lines of "innocent until proven guilty."

I wonder when this pendulum swing of the "terrorist scare" (similar to the "red scare" of the 1950s, IMHO) will swing back away from these steps into secret police and abandonment of the Bill of Rights and the Constitution.

Those documents are not "pick & choose" menus. People fought wars, burned homes, and killed one another for them.

At some point, the pendulum swing in all this will either go back toward equilibrium or it will swing across a line whose arc has not ever before ended non-violently.

My question is what are the concrete steps we - the average person - need to be taking to help restore the equilibrium?

Oh ungods, I couldn't help but laugh at this line... though I should really be sighing and shaking my head.

Though, on the other hand, it kinda fits in with the whole outsourcing trend of current day IT. Something not quite as feasible at home? That's okay, let's just outsource the issue to some foreign country. Besides, it'll probably be cheaper to do it that way. And if any problems do arise? Well, what a convenient scapegoat we have! Totally not our fault. Really.

This really deserves to be listed on a summary? If I remember correctly this was in a report that disclosed that they had on average one incident a year, and among those incidents they had a few cases where someone entered their ex's name.

Considering the thousands of NSA employees that likely had access, I would think that this small amount of stupid acts marks them as being incredibly better at following rules than the vast majority of humanity.

If more than zero incidents is unacceptable then you are holding the government to a standard that can't be met. Analysts are human beings. They are apparently much more law abiding and responsible than the average person, but they are still human and someone is going to use poor judgement sooner or later.

The issue is not that a small number of LOVEINT incidents occurred. There were probably more incidents of poking into data about celebrities. The issue is that it appeared so hard for the NSA to detect the LOVEINT and that the punishments were inconceivably light.

“To date no recipient of a production order has opted to invoke this section of the statute.”

That still makes the carriers out to be innocent. Both AT&T and Verizon approached the government about this and received millions for their work. They are active accomplices. AT&T has a parallel program working with the DEA which is, if anything, worse, because it doesn't even have the weak protections of FISA.

And while the NSA is doing surveillance theoretically for foreign intel and terrorism watch reasons, they are also providing information to the FBI and DEA, who are using it for law enforcement purposes, and doing "parallel construction" to conceal from the courts the true source of the information they are acting on.

I think those are pretty critical parts of the story. Maybe it should have been a top 10 instead of 5.

Oh ungods, I couldn't help but laugh at this line... though I should really be sighing and shaking my head.

Though, on the other hand, it kinda fits in with the whole outsourcing trend of current day IT. Something not quite as feasible at home? That's okay, let's just outsource the issue to some foreign country. Besides, it'll probably be cheaper to do it that way. And if any problems do arise? Well, what a convenient scapegoat we have! Totally not our fault. Really.

I'm probably butchering this quote, but here it goes anyway.

Frasier: A patient told me the funniest story in session today Niles, but I can't tell you because of doctor-patient confidentiality.

Niles: Ooh, I came up with a loophole. I'll be your psychiatrist for a minute, and that way you can tell me anything.

This is one of the worst parts for me. The defense that "just because we didn't do the dirty work, it's not illegal or unconstitutional" should be one that bothers everyone. It smacks of hiring a hit man so you don't get charged with murder.

A Snowden leaked document disputes the idea that they're using the UK to circumvent US law:

Only one handpicked group of nations is excluded -- countries that the NSA has defined as close friends, or "2nd party," as one internal document indicates. They include the UK, Australia, Canada and New Zealand. A document classified as "top secret" states that, "The NSA does NOT target its 2nd party partners, nor request that 2nd parties do anything that is inherently illegal for NSA to do."

Wow, you guys were able to find 5 things that have changed as a result of the leaks? You must be the best investigative journalists on Earth, because from where I sit it seems like most people give just as few shits knowing the government spies on them as when they only assumed the government spies on them.

This is one of the worst parts for me. The defense that "just because we didn't do the dirty work, it's not illegal or unconstitutional" should be one that bothers everyone. It smacks of hiring a hit man so you don't get charged with murder.

A Snowden leaked document disputes the idea that they're using the UK to circumvent US law:

Only one handpicked group of nations is excluded -- countries that the NSA has defined as close friends, or "2nd party," as one internal document indicates. They include the UK, Australia, Canada and New Zealand. A document classified as "top secret" states that, "The NSA does NOT target its 2nd party partners, nor request that 2nd parties do anything that is inherently illegal for NSA to do."

I am skeptical about these claims. Ok, we don't "request" such data. But I'm sure that if they find something without respecting our "minimization procedures," we don't turn our noses up at it. And vice versa.

Would somebody mind figuring out what this is "supposed" to be for? Supposedly all this "security" has been around to keep Americans safe. It is not. It is making a mockery of any constitutional or democratic rights that the American citizens supposedly enjoy.

Right now it looks like the NSA, the US Government, and a lot of telcoms/tech companies are scrambling to do damage control in what appears to be a serious breach of, well, the rights and freedoms ostensibly enjoyed by Americans (and many citizens abroad as we now know).

One thing I've learned personally is how politically polarizing leaking classified information can be. It seems to some that there can be no classified information horrific enough to warrant breaking the chain of command. Violating our constitutional rights to some seems to take the back burner to doing what your superiors say and following the rules.

Oh, and how crazy some people can behave when you so much as breathe the T word*.

Basically, according to the NSA and their interpretation of the Patriot Act or any court concern, we are all guilty until proven innocent ... and they'll let us know when our innocence is actually proven.

You know, it's funny. I remember reading something somewhere along the lines of "innocent until proven guilty."

I wonder when this pendulum swing of the "terrorist scare" (similar to the "red scare" of the 1950s, IMHO) will swing back away from these steps into secret police and abandonment of the Bill of Rights and the Constitution.

Those documents are not "pick & choose" menus. People fought wars, burned homes, and killed one another for them.

At some point, the pendulum swing in all this will either go back toward equilibrium or it will swing across a line whose arc has not ever before ended non-violently.

My question is what are the concrete steps we - the average person - need to be taking to help restore the equilibrium?

I often wonder why people keep asking the bolded question. The answer involves hard work, sacrifice, and finding some common ground with people. The problem is you have too many straight party voters who think about identifying letters [D/R] rather than how a candidate votes or where that candidate's money comes from. If you really want to make a difference then go knock on some doors and explain to people what is happening. Get involved in your local politics and run for precinct chair. Vote by value rather than by party. Become a state delegate whenever you can. Personally, I'm working to get my so-called rep, Joe Barton, booted from office for his votes for the Patriot Act and the NSA among other bad things he's voted for. Ted Cruz, on the other hand, seems to have his head screwed on fairly straight.

This really deserves to be listed on a summary? If I remember correctly this was in a report that disclosed that they had on average one incident a year, and among those incidents they had a few cases where someone entered their ex's name.

Considering the thousands of NSA employees that likely had access, I would think that this small amount of stupid acts marks them as being incredibly better at following rules than the vast majority of humanity.

If more than zero incidents is unacceptable then you are holding the government to a standard that can't be met. Analysts are human beings. They are apparently much more law abiding and responsible than the average person, but they are still human and someone is going to use poor judgement sooner or later.

So if only one employee of a private company embezzles a million dollars once per year, it should be acceptable? Most companies have the common sense to require dual signatures or other methods to *prevent* such incidents, rather than ignoring them and writing them off to "poor judgment" after the fact. I would expect a government agency entrusted with great secrets to be more proactive than a private company.

Oh, and how crazy some people can behave when you so much as breathe the T word*.

* = terrorism

You said the T word!

There are leakers, spies, and whistleblowers, and their motives vary a lot from individual to individual. Of course, when asked, they all call themselves whistleblowers.

Leakers occasionally call themselves whistleblowers. I don't recall McVeigh, Bin Laden or the Rosenbergs taking classified information and revealing it to the public, or calling themselves whistleblowers. There is no vagueness where you imply there is.

Oh, and how crazy some people can behave when you so much as breathe the T word*.

* = terrorism

You said the T word!

There are leakers, spies, and whistleblowers, and their motives vary a lot from individual to individual. Of course, when asked, they all call themselves whistleblowers.

Leakers occasionally call themselves whistleblowers. I don't recall McVeigh, Bin Laden or the Rosenbergs taking classified information and revealing it to the public, or calling themselves whistleblowers. There is no vagueness where you imply there is.

Though terrorists might employ spies, the leaking we're talking about is pretty distinct from the acts of war targeting civilians to force political change (terrorism).

I think chipmunkofdoom2 meant that claiming to "prevent terrorism" is a way to get carte-blanche for your organization's snooping.

This really deserves to be listed on a summary? If I remember correctly this was in a report that disclosed that they had on average one incident a year, and among those incidents they had a few cases where someone entered their ex's name.

Considering the thousands of NSA employees that likely had access, I would think that this small amount of stupid acts marks them as being incredibly better at following rules than the vast majority of humanity.

If more than zero incidents is unacceptable then you are holding the government to a standard that can't be met. Analysts are human beings. They are apparently much more law abiding and responsible than the average person, but they are still human and someone is going to use poor judgement sooner or later.

So if only one employee of a private company embezzles a million dollars once per year, it should be acceptable? Most companies have the common sense to require dual signatures or other methods to *prevent* such incidents, rather than ignoring them and writing them off to "poor judgment" after the fact. I would expect a government agency entrusted with great secrets to be more proactive than a private company.

Those were all self-reported incidents.

A more apt analogy would be an employee embezzles a million dollars and turns himself in while an unknown number of employees continue to embezzle money.

One of the key things we learned from the leaks (aside from the ones mentioned in the article) is that the NSA has incredible power over their supposed masters (White House and Congress). So much so that they are free to lie (even under oath) to them shamelessly with no worry of repercussions.

This really deserves to be listed on a summary? If I remember correctly this was in a report that disclosed that they had on average one incident a year, and among those incidents they had a few cases where someone entered their ex's name.

Considering the thousands of NSA employees that likely had access, I would think that this small amount of stupid acts marks them as being incredibly better at following rules than the vast majority of humanity.

If more than zero incidents is unacceptable then you are holding the government to a standard that can't be met. Analysts are human beings. They are apparently much more law abiding and responsible than the average person, but they are still human and someone is going to use poor judgement sooner or later.

So if only one employee of a private company embezzles a million dollars once per year, it should be acceptable? Most companies have the common sense to require dual signatures or other methods to *prevent* such incidents, rather than ignoring them and writing them off to "poor judgment" after the fact. I would expect a government agency entrusted with great secrets to be more proactive than a private company.

Those were all self-reported incidents.

A more apt analogy would be an employee embezzles a million dollars and turns himself in while an unknown number of employees continue to embezzle money.

In which case, I would expect the board of directors would fire the CEO, CFO, and a few others. "What, you never anticipated this, then AFTER the first self-reported embezzlement, you still did nothing to prevent other occurrences? And several more have confessed but even now you have no audit to tell you just how many unreported thefts have taken place nor how much has been stolen?!?" This sounds like a comedic farce rather than responsible management.

This is one of the worst parts for me. The defense that "just because we didn't do the dirty work, it's not illegal or unconstitutional" should be one that bothers everyone. It smacks of hiring a hit man so you don't get charged with murder.

A Snowden leaked document disputes the idea that they're using the UK to circumvent US law:

Only one handpicked group of nations is excluded -- countries that the NSA has defined as close friends, or "2nd party," as one internal document indicates. They include the UK, Australia, Canada and New Zealand. A document classified as "top secret" states that, "The NSA does NOT target its 2nd party partners, nor request that 2nd parties do anything that is inherently illegal for NSA to do."

Is there anything inherently illegal for the NSA to do? Of course, I mean in the opinion of the NSA.